Ticketmaster must pay a hefty $10 million fine after several employees utilized unlawfully obtained passwords to hack a rival company’s computer systems – in attempts to “choke off” its business.
The American ticket sales and distribution giant, which is owned by Live Nation, hired an employee in 2013 who formerly worked for Ticketmaster’s rival company (reported by some outlets to be Songkick, a now-defunct company that offered concert pre-sale tickets), the Department of Justice (DoJ) said last week.
This co-conspirator illegally retained credentials from the rival firm, which he and other Ticketmaster executives then used to hack into the victim company’s systems. From there, they were able to monitor the company’s draft ticketing web pages, allowing them to find out which artists planned to use the rival company to sell tickets. They were also able to hack into and snoop on the company’s Artist Toolbox, a password-protected app that provides real-time data about ticket sales.
“When employees walk out of one company and into another, it’s illegal for them to take proprietary information with them,” said FBI Assistant Director-in-Charge Sweeney in a statement. “Ticketmaster used stolen information to gain an advantage over its competition, and then promoted the employees who broke the law. This investigation is a perfect example of why these laws exist — to protect consumers from being cheated in what should be a fair market place.”
The Hack
According to court documents, the former senior employee of the victim company (who as of now remains unnamed) worked there from May 2010 to July 2012. In 2012, he signed a separation agreement with the victim company upon leaving, in which he agreed to maintain the confidentiality of that company’s sensitive data, before joining Live Nation in August 2013.
In 2013, this former employee shared the non-public URLs for the victim company’s draft ticketing web pages with Zeeshan Zaidi, the former head of Ticketmaster’s Artist Services division.
“In response to a Ticketmaster executive explaining that the goal was to ‘choke off [victim company]’ and ‘steal back one of [the victim company]’s signature clients,’ co-conspirator 1 offered that Ticketmaster could ‘cut [victim company] off at the knees’ if they could win back presale ticketing business for a second major artist that was a client of the victim company,” according to the DoJ.
Then, the former employee sent Zaidi and another Ticketmaster executive multiple sets of usernames and passwords for the victim company’s password-protected Artist Toolbox app, and encouraged them to “screen-grab the hell out of the system.” The co-conspirators even went so far as to use the passwords to access the app in a live demo at a Ticketmaster internal summit, in front of at least 14 other Ticketmaster and Live Nation employees, according to the DoJ.
The former employee in 2015 was promoted and given a raise; meanwhile, Ticketmaster employees continued to access the Artist Toolbox app through December 2015.
Next Steps
In 2015, the victim company filed a civil complaint against Live Nation and Ticketmaster alleging antitrust violations. That lawsuit was amended in 2017 to add allegations that Ticketmaster had accessed the company’s computer systems without authorization. In 2017, both the former employee and Zaidi were then terminated by Ticketmaster.
Last week’s fine against Ticketmaster resolves charges that the company “repeatedly accessed without authorization the competitor’s computer systems.” The fine is part of a deferred prosecution agreement that Ticketmaster entered with the U.S. Attorney’s Office for the Eastern District of New York to resolve a five-count criminal complaint filed today charging computer intrusion and fraud offenses. As part of the charges, on Oct. 18, 2019, Zaidi pled guilty in a related case to conspiring to commit computer intrusions and wire fraud based on his participation in this scheme.
This is also not the first time Ticketmaster has found itself up against a hefty fine for cybersecurity-related issues. In November, Ticketmaster’s U.K. division was slapped with a $1.65 million fine by the Information Commissioner’s Office (ICO) in the UK, over its 2018 data breach that impacted 9.4 million customers.
The incident points to the employee insider threats facing many companies – an issue that is particularly worrying today, as many employees may feel stressed or disillusioned by their workplace during today’s shaky, COVID-19-disrupted economy. One specific concern for companies reflected by this particular case is illegal retention of data by employees after they leave a firm. For instance, last year a former Cisco employee was sentenced to two years in jail after he hacked into Cisco’s Webex collaboration platform following his departure from the firm.
A Ticketmaster spokesperson told Threatpost, “Ticketmaster terminated both Zaidi and Mead in 2017, after their conduct came to light. Their actions violated our corporate policies and were inconsistent with our values. We are pleased that this matter is now resolved.”